[Freeipa-users] This again :) - ssh authentication for users in complex AD forest - where am I going wrong?

Chris Dagdigian dag at sonsorol.org
Wed Nov 23 13:54:25 UTC 2016


100% correct. We are OK with losing GSSAPI authentication if we can 
operate in a different DNS domain than
the IPA server that "glues" together all of our various Active Directory 
trusts. We want password authentication
from Active Directory as our main concern with role-based access control 
coming in as a strong second desire.

The Red Hat/IPA documentation and links that Alexander posted below on 
this are quite good and the issues on our end have generally come
from following more generic deployment instructions that don't cover the 
different-DNS-domain situation.

The quality of technical insight on this list has been fantastic. If our 
"different DNS" setup is of interest to
others I'd be happy to write up our architecture and configurations in 
more detail once this project settles
down. At the very least I should be able to prepare a concise "lessons 
learned" summary that details the
configuration settings that deviate from the norms advised in the more 
general-purpose instructions.

Regards,
Chris

Alexander Bokovoy wrote:
>> Apologies I must have been unclear. What I was trying to say is that
>> we are going for the "hosts in the different DNS domain" deployment 
>> scenario ...
>>
>> - We have unique domain name and realm for IPA:  company-ipa.org
>> - We use company-aws.org in AWS and have  our own Active Directory 
>> servers for: company-aws.org
>> - We want to use ipa-client to bind our servers to company-ipa.org 
>> but use DNS names from company-aws.org for operation
>>
>> Our end goal:
>> - We have many external AD forests we are linking to company-ipa.org 
>> one at a time
>> - End goal: operate hosts with DNS name "company-aws.org" as IPA 
>> clients of "company-ipa.org" using AD logins coming from the external 
>> trusts
> This setup should work with password-based authentication. It will not
> work with GSSAPI (Kerberos) authentication. I think this is what you are
> aware of and accepted as the limitation.
>
> For the benefit of others, here is the list of articles and
> documentation of the topic of mixed DNS domains/hostnames with Active
> Directory:
>
> - High-level description:
> http://rhelblog.redhat.com/2016/07/13/i-really-cant-rename-my-hosts/
>
> - Documentation chapter:
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Windows_Integration_Guide/index.html#ipa-in-ad-dns
>
> - Technical details:
> http://www.freeipa.org/page/V4/IPA_Client_in_Active_Directory_DNS_domain
>
> There is nothing we can do with the Active Directory limitations beyond
> these documents.
>
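As an added example (not from this thread, nor FreeIPA's own code), a small Python check that reads an ipa-client style /etc/ipa/default.conf, decides whether the host sits outside the IPA DNS domain, and records the consequence Alexander describes: password authentication for AD-trust users still works, GSSAPI single sign-on does not. The [global] keys used (host, domain, realm) and the constructed sample values are assumptions.

```python
"""Classify an IPA client by DNS domain and predict which SSH auth methods
work for AD-trust users. Added example; assumes /etc/ipa/default.conf has a
[global] section carrying host, domain and realm."""
import configparser

# Constructed sample of /etc/ipa/default.conf on a host enrolled into
# company-ipa.org that carries a company-aws.org DNS name.
SAMPLE_DEFAULT_CONF = """\
[global]
basedn = dc=company-ipa,dc=org
realm = COMPANY-IPA.ORG
domain = company-ipa.org
server = ipa1.company-ipa.org
host = web01.company-aws.org
xmlrpc_uri = https://ipa1.company-ipa.org/ipa/xml
enable_ra = True
"""


def dns_labels(name):
    # Split an FQDN into lowercase labels, ignoring a trailing dot.
    return name.rstrip(".").lower().split(".")


def host_in_domain(host, domain):
    # True when host equals domain or lies beneath it on a label boundary,
    # so "web01.company-aws.org" is not mistaken for a member of "aws.org"
    # the way a naive endswith() check would.
    h, d = dns_labels(host), dns_labels(domain)
    return len(h) >= len(d) and h[-len(d):] == d


def classify_client(conf_text):
    # Parse the client config and report the expected SSH auth behaviour.
    cfg = configparser.ConfigParser()
    cfg.read_string(conf_text)
    g = cfg["global"]
    mixed = not host_in_domain(g["host"], g["domain"])
    return {
        "host": g["host"],
        "ipa_domain": g["domain"],
        "realm": g["realm"],
        "mixed_dns_domain": mixed,
        # Password auth for trusted-AD users goes through SSSD and does not
        # depend on the host's DNS name; Kerberos/GSSAPI SSO for AD users is
        # only expected when the host lives in the IPA DNS domain.
        "ssh_password_auth": True,
        "ssh_gssapi_auth": not mixed,
    }
```

A host enrolled under its IPA-domain name (e.g. db01.company-ipa.org) is reported with both methods available; the sample above is flagged as mixed with GSSAPI unavailable.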